Tyler Muth’s Blog

Technology with a focus on Oracle, Application Express and Linux

RMAN Encrypted Backups

Posted by Tyler Muth on September 8, 2007

A number of recent high-profile data thefts have resulted from lost or stolen backups that were not encrypted. Offsite backups are a good first step in a Disaster Recovery plan, but they also create a huge risk for data theft. Even if the backup is not offsite, a backup sitting around your office represents a nicely packaged target for someone to steal. If you need a reality check, take a look at some of the events listed on the Chronology of Data Breaches:

  • Bank of America: Lost backup tape, 1,200,000 records
  • Ameritrade: Lost backup tape, 200,000 records
  • Time Warner: Lost backup tapes, 600,000 records
  • CitiFinancial: Lost backup tapes, 3,900,000 records

Encrypted backups provide a huge improvement in security without having to change your application code or database structures. Obviously, sensitive data stored unencrypted in the database is still a problem, but it’s typically a much more challenging problem to solve. More on that issue in future blog posts…

Oracle offers several solutions to encrypt backups. Oracle Secure Backup is designed for direct backups to tape, offers several options for encryption, and even comes in a free “Express” version for tape devices directly attached to a single server. Starting with 10gR2, RMAN can also encrypt backups to disk when used in conjunction with the Advanced Security Option (ASO) for the database. I’m only going to cover the RMAN solution in this post since I don’t have access to a tape device.

RMAN encryption can use a password, an Oracle Wallet, or both as keys to encrypt a backup. If you choose to use both a wallet and a password to encrypt, you only need one of the keys to decrypt your backup. So, choosing to use both options doesn’t make your backup more secure; it simply allows you to use either method for decryption in case you lose the wallet or forget the password. The beginning of this article on TDE provides a simple example of configuring a wallet. For more detailed information, here’s a link to the documentation for RMAN Encrypted Backups.

The following 5 minute screencast demonstrates RMAN encrypted backups, first using Enterprise Manager Database Control, then in more detail using the RMAN command-line interface.

Unencrypted Backup:
rman target /
configure channel device type disk format '/backup/%N_%s' maxpiecesize 2 G;
backup tablespace test1 tag=unencrypted;

Password only Encrypted Backup:
rman target /
set encryption on identified by 'L!eFLW@Bf=U,ptC>' only;
backup tablespace test1 tag=encrypted;

Password and Wallet Encrypted Backup:
rman target /
configure encryption for database on;
set encryption on identified by 'L!eFLW@Bf=U,ptC>';
backup tablespace test1 tag=encrypted;

Restore Tablespace from Backup:
rman target /
sql 'alter tablespace test1 offline immediate';
set decryption identified by 'L!eFLW@Bf=U,ptC>';
restore tablespace test1;
recover tablespace test1;
sql 'alter tablespace test1 online';
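
An added example, not part of the original post: a small Python check that reads an RMAN command script and reports which encryption mode each `backup` command runs under, covering only the statement forms shown above. It assumes the persistent configuration starts with encryption off, that the wallet is open whenever wallet encryption applies, and that `set encryption` lasts for one RMAN session while `configure` persists; the name `audit` and the mode labels are this example's own.

```python
import re

# Constructed input: the post's three backup sessions plus one constructed
# extra session, with the password replaced by a placeholder.
SAMPLE = """\
rman target /
configure channel device type disk format '/backup/%N_%s' maxpiecesize 2 G;
backup tablespace test1 tag=unencrypted;
rman target /
set encryption on identified by 'PLACEHOLDER-NOT-A-REAL-PASSWORD' only;
backup tablespace test1 tag=encrypted;
rman target /
configure encryption for database on;
set encryption on identified by 'PLACEHOLDER-NOT-A-REAL-PASSWORD';
backup tablespace test1 tag=encrypted;
rman target /
backup tablespace test1 tag=nightly;
"""

CONFIGURE = re.compile(r"configure\s+encryption\s+for\s+database\s+(on|off)\s*;", re.I)
SET_PWD = re.compile(r"set\s+encryption\s+on\s+identified\s+by\s+(?:'[^']*'|\S+?)(\s+only)?\s*;", re.I)
TAG = re.compile(r"\btag\s*=\s*'?(\w+)", re.I)


def audit(script, configured_on=False):
    """Return [(tag, mode)] per BACKUP command; mode is none, password, wallet or dual."""
    session_mode = None  # set by SET ENCRYPTION, valid for the current session only
    results = []
    for line in script.splitlines():
        line = line.strip()
        low = line.lower()
        if low.startswith("rman "):
            session_mode = None  # new session: SET is forgotten, CONFIGURE persists
        elif m := CONFIGURE.fullmatch(line):
            configured_on = m.group(1).lower() == "on"
        elif m := SET_PWD.fullmatch(line):
            session_mode = "password" if m.group(1) else "dual"
        elif low.startswith("backup"):
            mode = session_mode or ("wallet" if configured_on else "none")
            tag = TAG.search(line)
            results.append((tag.group(1) if tag else "(no tag)", mode))
    return results


if __name__ == "__main__":
    for tag, mode in audit(SAMPLE):
        print(f"{tag:12} {mode}{'   <-- not encrypted' if mode == 'none' else ''}")
```

The last session in the sample shows why the distinction matters: once `configure encryption for database on` has been run, a later plain `backup` is encrypted with the wallet alone, so restoring it depends on that wallet being available.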

8 Responses to “RMAN Encrypted Backups”

  1. […] Muth writes about RMAN encrypted backups: “A number of recent high profile data thefts have resulted from lost or stolen backups that […]

  2. Don Seiler said

    Tyler, is there supposed to be audio in the screencast? Just wanted to make sure I wasn’t missing anything.

  3. Don Seiler said

    Gah nevermind. I misread the title screen the first 5 times I looked at it.

  4. […] are a prime target, and an easy one to solve.  I blogged about RMAN Encrypted Backups, there’s also Oracle Secure Backup (free for a single machine), as well as a plethora of […]

  5. Bundit said

    Your screencast is no longer available. Can you upload it again ?

  6. rmanbackup said

    Thank you so much for this precious information.
    If you need any extra information about RMAN.
    You can visit http://www.rmanbackup.com web site.

